ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS service - Unauthorized Access

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA, probably others
Vendor URL: http://SAP.com
Bugs: Unauthorized access
Sent: 20.04.2013
Reported: 21.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 13.10.2015
Reference: SAP Security Note 1945215
Author: Alexander Polyakov (ERPScan)

Description

1. ADVISORY INFORMATION

Title: SAP NetWeaver J2EE DAS service – Unauthorized Access
Advisory ID: [ERPSCAN-15-017]
Risk: High
Advisory URL: http://erpscan.com/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/
Date published: 13.10.2015
Vendors contacted: SAP

2. VULNERABILITY INFORMATION

Class: Unauthorized Access [CWE-284]
Impact: Unauthorized access to some functions
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information
CVSS Base Score: 3.5 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range)                          Network (N)
AC : Access Complexity (Required attack complexity)                 Medium (M)
Au : Authentication (Level of authentication needed to exploit)     Single (S)
C  : Impact to Confidentiality                                      Partial (P)
I  : Impact to Integrity                                            None (N)
A  : Impact to Availability                                         None (N)

3. VULNERABILITY DESCRIPTION

An authenticated user can use functions of the XML Data Archiving Service to which access should be restricted. This may result in privilege escalation.

4. VULNERABLE PACKAGES

SAP NetWeaver AS JAVA
Other versions are probably affected too, but they were not checked.

5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 1945215.

6. AUTHOR

Alexander Polyakov (ERPScan)

7. TECHNICAL DESCRIPTION

It is possible to call some of the DAS files without authorization because some of the JSPs do not check whether the user is authorized to access them.
Most JSPs have authorization checks:

    String authorization = (String) session.getAttribute("AuthRequHead");
    if (authorization == null) authorization = "";

But in 3 JSPs those checks are not included:

http://SAP_IP/DataArchivingService/webcontent/cas/cas_enter.jsp
http://SAP_IP/DataArchivingService/webcontent/cas/cas_validate.jsp
http://SAP_IP/DataArchivingService/webcontent/aas/aas_store.jsp

It means that an anonymous user can call those JSPs. The most critical one is cas_enter.jsp. We can create any archiving directory and also:

1) Check if there is any file or directory on the server by analyzing the response while creating an archive store
2) Perform an SMBRelay attack by putting something like \\remotehost\aa into the Windows root variable
3) Potentially make HTTP calls and other calls while using WebDav

8. REPORT TIMELINE

Sent: 20.04.2013
Reported: 21.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 13.10.2015

9. REFERENCES

http://erpscan.com/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/

10. ABOUT ERPScan Research

The company’s expertise is based on the research subdivision of ERPScan, which is engaged in vulnerability research and analysis of critical enterprise applications. It has achieved multiple acknowledgments from the largest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for exposing 400+ vulnerabilities in their solutions (200 of them just in SAP!).

ERPScan researchers are proud to have exposed new types of vulnerabilities (TOP 10 Web Hacking Techniques 2012) and were nominated for best server-side vulnerability at BlackHat 2013.

ERPScan experts have been invited to speak, present, and train at 60+ prime international security conferences in 25+ countries across the continents. These include BlackHat, RSA, HITB as well as private trainings for SAP in several Fortune 2000 companies.
ERPScan researchers lead project EAS-SEC, which is focused on enterprise application security research and awareness. They have published 3 exhaustive annual award-winning surveys about SAP security.

ERPScan experts have been interviewed by leading media resources and specialized info-sec publications worldwide: Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise, and Chinabyte, to name a few.

We have highly qualified experts in staff with experience in many different fields of security, from web applications and mobile/embedded to reverse engineering and ICS/SCADA systems, accumulating their experience to conduct research in SAP security.

11. ABOUT ERPScan

ERPScan is the most respected and credible Business Application Security provider. Founded in 2010, the company operates globally and enables large Oil and Gas, Financial, and Retail organizations to secure their mission-critical processes. Named an Emerging Vendor in Security by CRN, listed among TOP 100 SAP Solution Providers and distinguished by 30+ other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to assist in improving the security of their latest solutions.

ERPScan’s primary mission is to close the gap between technical and business security, and provide solutions to evaluate and secure SAP and Oracle ERP systems and business-critical applications from both cyber-attacks and internal fraud. Usually our clients are large enterprises, Fortune 2000 companies, and managed service providers whose requirements are to actively monitor and manage security of vast SAP landscapes on a global scale.

We ‘follow the sun’ and function in two hubs, located in Palo Alto and Amsterdam, to provide threat intelligence services and agile support, operate local offices and partner network spanning 20+ countries around the globe.

USA address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
http://erpscan.com
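
Added example (not part of the original advisory, and not ERPScan's or SAP's code): a source-audit heuristic for the gap described in section 7. It walks a JSP tree and lists the pages that never read the AuthRequHead session attribute, either directly or through a static include; the sample tree is constructed, and every file name other than the three named in the advisory is hypothetical.

```python
import re
import tempfile
from pathlib import Path

# The check quoted in the advisory, matched whitespace-tolerantly.
AUTH_CHECK = re.compile(r'session\s*\.\s*getAttribute\s*\(\s*"AuthRequHead"\s*\)')
# Comments are stripped first so a commented-out check does not count.
COMMENTS = re.compile(r'<%--.*?--%>|/\*.*?\*/|//[^\n]*', re.S)
INCLUDE = re.compile(r'<%@\s*include\s+file\s*=\s*"([^"]+)"\s*%>')

def has_check(path, root, seen):
    """True if the JSP, or a file it statically includes, reads AuthRequHead."""
    if path in seen or not path.is_file():
        return False
    seen.add(path)
    source = COMMENTS.sub("", path.read_text(encoding="utf-8", errors="replace"))
    if AUTH_CHECK.search(source):
        return True
    for target in INCLUDE.findall(source):
        # "/x.jsp" is relative to the web root, "x.jsp" to the including file.
        base = root if target.startswith("/") else path.parent
        if has_check((base / target.lstrip("/")).resolve(), root, seen):
            return True
    return False

def jsps_missing_check(webroot):
    """Relative paths of .jsp files with no AuthRequHead check, sorted."""
    root = Path(webroot).resolve()
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.jsp")
                  if not has_check(p, root, set()))

def demo():
    """Audit a constructed tree; file contents here are invented for the test."""
    check = '<% String authorization = (String) session.getAttribute("AuthRequHead"); %>'
    bare = '<% out.println("ok"); %>'
    tree = {
        "cas/cas_enter.jsp": bare,                       # named in the advisory
        "cas/cas_validate.jsp": bare,                    # named in the advisory
        "aas/aas_store.jsp": bare,                       # named in the advisory
        "cas/checked.jsp": check,                        # hypothetical
        "cas/disabled.jsp": "<%-- " + check + " --%>",   # hypothetical, commented out
        "aas/via_include.jsp": '<%@ include file="/inc/auth.jspf" %>',  # hypothetical
        "inc/auth.jspf": check,                          # hypothetical
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in tree.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body, encoding="utf-8")
        return jsps_missing_check(tmp)
```

A page that reads the attribute can still fail to enforce it, so a clean result here is a starting point for review; a listed page is one to inspect first.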